STE WILLIAMS

Million-dollar fine for sneaky Bitcoin botnet builders

Back in May of this year we wrote about a New Jersey company’s interesting interpretation of the concept of “anti-cheating” software.

Online gaming portal ESEA, short for E-Sports Entertainment, positions itself as a level playing field for serious online gamers.

By downloading and using ESEA’s proprietary anti-cheating client software, you effectively join a walled garden, or “fairness bubble,” from which dodgy players are meant to be excluded.

That means you can get down to genuine mano-a-mano contests (or perhaps, in multiplayer games, I mean mano-a-mano-a-mano-a-mano), without the disappointment of finding you are up against some sort of inhuman programmatic shooter-bot.

Of course, that makes the anti-cheat client itself a sort of bot.

It monitors the interaction between the player and the game, looking for evidence of cheating, for example by precisely timing events such as keypresses, or by grabbing screenshots.

The client can then call home with its data, await analysis from head office, receive instructions on what to do with suspected cheaters, and grab configuration tweaks and updates as new cheating techniques are discovered and mitigated.

In other words, you really have to trust the anti-cheating client not to be a cheat itself.

ESEA violated that trust.

An employee, who seems to have operated on the principle of hoping for forgiveness rather than permission (though he ultimately received neither), snuck in a code update that turned the anti-cheating client into a Bitcoin miner.

At the time, a disgruntled user, alerted to the Bitcoin mining by some give-away entries in the ESEA client log file, managed to talk to an ESEA sysadmin on the phone, and received a curious admission:

It shouldn’t be any surprise, but the [anti-cheat] client is capable of doing a lot of things that people don’t know about. […] They think the client does screenshots and that’s about it. Truth be told…it probably does more than about 50 different things, because there are more than 50 ways to cheat.

[…] Funnily enough, there was a debate, a conversation, regarding the subject of using the client to mine Bitcoins. That was a joke, but at the same time it was half serious.

Actually, it turned out to have been fully serious to the very employee whom the intrepid caller had reached.

Whether the guilty party thought that he ought to get in his excuse early, now that the secret was out, or whether he just couldn’t resist taking credit for a cool hack, he felt the need to blurt out:

It turned out I actually did write code to do it, but it wasn’t supposed to be code that was everywhere. […] I restarted the server and the [configuration] setting got reset and [the mining code] actually got turned on, which was only, like, it wasn’t for very long.

We calculated how much we would actually make, if we really wanted to do it. We would make hundreds of thousands of dollars if we actually did it with everybody. But that would be pretty intense.

[Voice of caller] Not to mention kind of illegal.

At the time, ESEA netted just under $4000, a sum the company donated to charity, chipping in the same amount again from its own pocket as a sort of mea culpa.

Back in May, we asked, “Peace with honour?”

Would ESEA’s admission of guilt, we wondered, and its gesture of donating to charity, be enough to settle the matter?

We now have the answer, which is, “No!”

The New Jersey Consumer Affairs watchdog has reached a settlement with ESEA that will see the company pay a penalty of $325,000.

Actually, the penalty is a cool $1,000,000, but ESEA will be let off just over two-thirds of it ($675,000) if it behaves itself for the next ten years.

In the words of the New Jersey Attorney General’s office:

Consumers who subscribed to E-Sports’ video game anti-cheat services paid for protection from cheaters – not to be cheated by the very services they’d purchased. Companies that collect consumer information and access users’ computers have a duty to ensure that protocols and procedures are in place to protect the information they collect. Moreover, no company should obtain more access or information than is necessary to engage in the legitimate operation of its business.

ESEA, for its part, hasn’t reacted graciously at all this time, blurting out officially and in bold face that:

The settlement that was signed makes explicitly clear that we do not agree, nor do we admit, to any of the State of New Jersey’s allegations. The press release issued by the Attorney General about our settlement represents a deep misunderstanding of the facts of the case, the nature of our business, and the technology in question.

It seems that ESEA now thinks that mining Bitcoins was part of the legitimate operation of its business – something that may come as a surprise to its community.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/RuBkJ2Q3dQc/

One-minute Koch-blocking earns attacker two years, massive fine

Email delivery: Hate phishing emails? You’ll love DMARC

A Wisconsin man has been sentenced to two years of probation and a fine of $183,000 after pleading guilty to taking part in an Anonymous DDoS attack against the servers of Koch Industries for one minute.

Eric Rosol, 38, pleaded guilty to one misdemeanor count of accessing a protected computer by downloading the Low Orbit Ion Cannon tool propagated by hacking collective Anonymous and using it to attack the Kochind.com website. His involvement lasted one minute before he closed down the software, but investigators were able to backtrace his IP address and bring charges.


The attack took place in February 2011 after Anonymous called for action against Koch Industries, the private company owned by Charles and David Koch. The brothers’ funding of right wing and libertarian groups attracted the ire of Anonymous, but the attack only took down the website for around 15 minutes.

Koch Industries acknowledged that the attack caused them less than $5,000 in direct monetary damages but said it hired a consulting firm to defend its website at a cost of $183,000, a bill which Mr. Rosol will now be ordered to pay.

The case is yet another where the deficiencies of the Low Orbit Ion Cannon have led to the arrest of users. The tool, which Anonymous promoted as a way to take activism online, has been mitigated in many respects as an attack tool and it now seems the authorities are getting better at back tracing it, even if it is only used for very short periods of time. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/12/04/oneminute_kochblocking_attack_earns_attacker_two_years_massive_fine/

Quantum crypto pitches for data centre links


The quantum crypto business is hardly crowded, but ID Quantique is hoping to set itself apart with a 100 Gbps-capable unit.

This is hardly consumer kit, however: the target market for the QKD-plus-crypto-engine kit is outfits running multiple high capacity links, either at 1 Gbps or 10 Gbps. Think of inter-data-centre connections and you have the right idea.


CEO Gregoire Ribordy told The Register the new system, developed in partnership with venerable Australian crypto outfit Senetas, was put together with two aims in mind: addressing the heightened interest in data centre security in the wake of Edward Snowden’s NSA revelations, while at the same time avoiding the complexity that arises from deploying quantum crypto on a link-by-link basis.

The new unit from ID Quantique handles key generation, key management, and encryption for up to ten links at 10 Gbps.

At the heart of it is the company’s quantum random number generator, which provides random numbers for all encrypted channels, and as Ribordy pointed out, that’s designed to address the post-NSA concerns about crypto.

“You need to start with very high quality keys to get good encryption keys overall,” he said. “Part of the scandal of the last six months was that random number generators didn’t offer the full entropy that was expected of them.”
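Ribordy's point about generators that did not deliver the entropy expected of them is one a practitioner can put a number on. The following is an added example, not ID Quantique or Senetas code: it estimates Shannon and min-entropy per byte of a source's raw output, turns the min-entropy figure into the number of raw bytes a conditioner must pool for one 256-bit key, and compares the OS generator with two constructed sources (a biased one and a fully predictable linear congruential generator). The biased source, the LCG and its constants are assumptions made for the demonstration.

```python
"""Estimating how much entropy a random-number source actually delivers.

Added illustration, not vendor code. The biased source and the LCG below are
constructed to show what output-only estimators can and cannot detect.
"""
import math
import os
import random
from collections import Counter


def shannon_entropy_per_byte(data: bytes) -> float:
    """Average information per byte: -sum p(x) log2 p(x)."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def min_entropy_per_byte(data: bytes) -> float:
    """Most-common-value estimate: -log2(p_max).

    Key material must be sized on min-entropy, not Shannon entropy, because an
    attacker guesses the likeliest output first.
    """
    n = len(data)
    p_max = max(Counter(data).values()) / n
    return -math.log2(p_max)


def raw_bytes_for_key(min_entropy_bits_per_byte: float, key_bits: int = 256) -> int:
    """Raw source bytes a conditioner must pool to output one key_bits key."""
    return math.ceil(key_bits / min_entropy_bits_per_byte)


def system_source(n: int) -> bytes:
    """The operating system CSPRNG, used here as the reference source."""
    return os.urandom(n)


def biased_source(n: int, seed: int = 7) -> bytes:
    """Constructed faulty source (assumption): sticks at 0x00 three times in four."""
    rng = random.Random(seed)
    return bytes(0 if rng.random() < 0.75 else rng.randrange(1, 256) for _ in range(n))


def lcg_source(n: int, seed: int = 1) -> bytes:
    """Constructed predictable source (assumption): top byte of a 32-bit LCG.

    Its output is statistically uniform, so entropy estimators alone will pass
    it even though every byte follows from the seed. Output-only testing is a
    sanity check on a generator, never a proof that it is unpredictable.
    """
    state = seed & 0xFFFFFFFF
    out = bytearray()
    for _ in range(n):
        state = (1664525 * state + 1013904223) & 0xFFFFFFFF
        out.append(state >> 24)
    return bytes(out)


def report(name: str, data: bytes) -> None:
    h = shannon_entropy_per_byte(data)
    m = min_entropy_per_byte(data)
    print(f"{name:8s} shannon={h:5.2f} bits/byte  min={m:5.2f} bits/byte  "
          f"raw bytes per 256-bit key={raw_bytes_for_key(m)}")


if __name__ == "__main__":
    N = 1 << 16
    for name, data in [("urandom", system_source(N)),
                       ("biased", biased_source(N)),
                       ("lcg", lcg_source(N))]:
        report(name, data)
```

The biased source is the case the estimators catch: its Shannon entropy looks like a few bits per byte, but its min-entropy is under half a bit, so a 256-bit key needs several hundred raw bytes rather than a few dozen. The LCG is the case they miss, which is why a hardware generator's design and attestation matter beyond what any statistical test of its output can show.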

Keys can be exchanged either using quantum key distribution (QKD) or more familiar techniques like RSA, Ribordy said.

The unit’s aggregate capacity of ten links and 100 Gbps means that even a Google, which might run as many as 30 inter-data-centre links, would only need a few units rather than one encryptor per link. That, Ribordy said, makes a big difference not just to affordability, but to manageability. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/12/05/quantum_crypto_pitches_at_data_centre_links/

Microsoft: Anonymous hacktivists DDoSed us? Really?


Microsoft has denied it was affected in any way by a claimed attack against its systems by elements of the rag-tag hacktivist collective Anonymous.

In a post to Pastebin last week, an individual claiming affiliation to Anonymous boasted that a DDoS attack against Japanese Microsoft (domain) websites and servers on or around 23 November had had a much wider effect than intended.


The poster continued: “We are sorry for any inconvenience We caused you Microsoft…” and claimed that although the Japanese websites had stayed up, many core Microsoft sites – including Hotmail.com, MSN.com, Live.com, Outlook.com and Microsoft.com – were supposedly taken out by the attacks mounted in protest against the culling of dolphins by the Japanese government (dubbed #OpKillingBay).

Many sites on Microsoft’s cloud did go down but this happened on 21 November, two days before hacktivists beat a packet to Microsoft’s door. In any case, the problems with sites on Microsoft’s Azure cloud on 21 November (Xbox One worldwide launch day) have been diagnosed as being the result of a DNS-related issue. Sites most particularly affected included Xbox.com and Outlook.com.

The activist attack would appear to be a coincidence and its supposed deep impact takes some believing, especially in the face of a denial from Redmond. The timing is wrong and the list of sites affected doesn’t match either. In response to repeated requests for comment on the supposed attack, Microsoft eventually came through with a statement saying it hadn’t even registered the supposed assault.

We are aware of reports of a distributed denial-of-service (DDoS) attack where it appears that Microsoft was not the intended target. We do not believe this alleged attack is related to any interruption of Microsoft online services.

Sean Power, security operations manager at security firm DOSarrest, said collateral damage from DDoS attacks is always a possibility, particularly when attacks are amplified. He wasn’t surprised that the hacktivists claimed a hit even though in this case it seems they didn’t sink any battleships.

“Collateral damage from a DDoS attack is very real – regardless if this is what happened or not,” Power said. “DDoS attack amplification is also very real, so is the concept of trying to legitimise traffic. This illustrates very well how attacks can be reflected from, or even amplified by trusted neighbours/partners.” ®

Bootnote

Quite how the planned attack on Microsoft Japan has anything to do with dolphin hunting in the small Japanese town of Taiji escapes us. The initial list of targets included the Japanese Ministry of Agriculture, Forestry Fisheries as well as the official site of Taiji town, as previously reported.


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/12/05/ms_anon_ddos_palavar/

Hear that? It’s the sound of BadBIOS wannabe chatting over air gaps


Computer scientists have brewed up prototype malware that’s capable of communicating across air gaps using inaudible sounds.

The mesh network capable of covertly communicating without wireless or wired connections was developed by Michael Hanspach and Michael Goetz. It borrows its founding principles from established systems for robust underwater communication.


In the system, communications could be maintained over multiple hops for purposes including managing malware-infected machines, as the abstract of a paper for a recent edition of the Journal of Communications explains. The researchers go on to outline possible countermeasures against such fiendish malware, including shielding systems from exposure to high frequency sounds.

Covert channels can be used to circumvent system and network policies by establishing communications that have not been considered in the design of the computing system. We construct a covert channel between different computing systems that utilises audio modulation/demodulation to exchange data between the computing systems over the air medium.

The underlying network stack is based on a communication system that was originally designed for robust underwater communication. We adapt the communication system to implement covert and stealthy communications by utilising the near ultrasonic frequency range.

We further demonstrate how the scenario of covert acoustical communication over the air medium can be extended to multi-hop communications and even to wireless mesh networks. A covert acoustical mesh network can be conceived as a botnet or malnet that is accessible via near-field audio communications.

Different applications of covert acoustical mesh networks are presented, including the use for remote keylogging over multiple hops. It is shown that the concept of a covert acoustical mesh network renders many conventional security concepts useless, as acoustical communications are usually not considered. Finally, countermeasures against covert acoustical mesh networks are discussed, including the use of lowpass filtering in computing systems and a host-based intrusion detection system for analysing audio input and output in order to detect any irregularities.

The two German researchers explain how their proof-of-concept malicious code can use a computer’s built-in sound card and microphone to send information from one infected node to other similarly compromised machines, provided the infected systems are within about 20 metres of each other. A painfully slow speed of just 20 bps was achieved using the method, but that might nonetheless be workable for a keylogger, provided there’s no external interference.
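To make the mechanism concrete, here is an added example, not the researchers’ code: a toy version of the channel the paper describes, with a binary frequency-shift-keying modulator that sends 20 bits per second on two near-ultrasonic tones, a Goertzel-based demodulator that recovers the bits from each bit-length window, and the lowpass-filter countermeasure the abstract mentions, applied to show that it strips the carriers while leaving a speech-band tone intact. The 48 kHz sample rate, the 18 kHz and 19.5 kHz carriers, the noise level and the 8 kHz cutoff are assumptions chosen for the demonstration.

```python
"""Toy near-ultrasonic FSK covert channel and a lowpass countermeasure.

Added illustration, not the Hanspach/Goetz code. Carrier frequencies, noise
level and the 8 kHz lowpass cutoff are assumptions chosen for the demo.
"""
import math
import random

SAMPLE_RATE = 48_000                       # Hz, common sound-card rate (assumption)
BIT_RATE = 20                              # bits per second, as reported for the prototype
SAMPLES_PER_BIT = SAMPLE_RATE // BIT_RATE  # 2400 samples, so DFT bins fall on a 20 Hz grid
FREQ_0 = 18_000                            # Hz, tone for a 0 bit (assumed carrier)
FREQ_1 = 19_500                            # Hz, tone for a 1 bit (assumed carrier)
AMPLITUDE = 0.5


def tone(freq_hz: float, n_samples: int, amplitude: float = AMPLITUDE) -> list:
    """n_samples of a sine at freq_hz, starting at phase zero."""
    return [amplitude * math.sin(2 * math.pi * freq_hz * i / SAMPLE_RATE)
            for i in range(n_samples)]


def modulate(bits, noise_std: float = 0.2, seed: int = 1) -> list:
    """Binary FSK: one tone burst per bit, plus constructed Gaussian room noise."""
    rng = random.Random(seed)
    samples = []
    for bit in bits:
        samples.extend(tone(FREQ_1 if bit else FREQ_0, SAMPLES_PER_BIT))
    return [s + rng.gauss(0.0, noise_std) for s in samples]


def goertzel_power(samples, freq_hz: float) -> float:
    """|X_k|^2 at the DFT bin nearest freq_hz, via the Goertzel recurrence."""
    n = len(samples)
    k = round(n * freq_hz / SAMPLE_RATE)
    coeff = 2.0 * math.cos(2.0 * math.pi * k / n)
    s1 = s2 = 0.0
    for x in samples:
        s0 = x + coeff * s1 - s2
        s2, s1 = s1, s0
    return s1 * s1 + s2 * s2 - coeff * s1 * s2


def demodulate(samples) -> list:
    """Recover bits by comparing carrier energy in each bit-length window."""
    bits = []
    for start in range(0, len(samples) - SAMPLES_PER_BIT + 1, SAMPLES_PER_BIT):
        window = samples[start:start + SAMPLES_PER_BIT]
        bits.append(1 if goertzel_power(window, FREQ_1) > goertzel_power(window, FREQ_0) else 0)
    return bits


def lowpass(samples, cutoff_hz: float = 8_000, passes: int = 2) -> list:
    """Zero-phase first-order RC lowpass: run forward and backward, `passes` times.

    Models the countermeasure of filtering near-ultrasonic content out of the
    audio path: speech-band content passes, the covert carriers do not.
    """
    dt = 1.0 / SAMPLE_RATE
    rc = 1.0 / (2.0 * math.pi * cutoff_hz)
    alpha = dt / (rc + dt)
    out = list(samples)
    for _ in range(passes):
        for backward in (False, True):
            if backward:
                out.reverse()
            y = 0.0
            for i, x in enumerate(out):
                y += alpha * (x - y)
                out[i] = y
            if backward:
                out.reverse()
    return out


def attenuation(samples, freq_hz: float, **filter_kwargs) -> float:
    """Fraction of the power at freq_hz that survives the lowpass filter."""
    before = goertzel_power(samples, freq_hz)
    after = goertzel_power(lowpass(samples, **filter_kwargs), freq_hz)
    return after / before


if __name__ == "__main__":
    payload = [1, 0, 1, 1, 0, 0, 1, 0]
    signal = modulate(payload)
    print("sent     :", payload)
    print("recovered:", demodulate(signal))
    print("carrier power surviving lowpass: %.5f" % attenuation(signal[:SAMPLES_PER_BIT], FREQ_1))
    print("1 kHz tone surviving lowpass   : %.3f" % attenuation(tone(1_000, SAMPLES_PER_BIT), 1_000))
```

Because each bit window holds a whole number of carrier cycles, the two tones land exactly on DFT bins and the Goertzel comparison is clean even with the added noise. The filter is deliberately simple; a real audio-path countermeasure would use a proper filter design, but even four first-order stages at 8 kHz cut the carrier power by more than three orders of magnitude while a 1 kHz tone keeps most of its energy.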

The possibility of malware that can communicate over air-gapped machines, or worse still, spread onto them, is a nightmare scenario for those in charge of otherwise well designed ultra secure networks (think some military systems, power plants etc). The type of malware outlined by the researchers bears an uncanny resemblance to features of the BadBIOS malware said to have afflicted machines run by computer security researcher Dragos Ruiu.

Dubbed BadBIOS, the mysterious rootkit can supposedly jump over air gaps, screw with a number of different operating systems, and even survive motherboard firmware rewrites. Ruiu (AKA @dragosr) – who organises the popular annual Pwn2Own hacking contest at the CanSecWest conference – said he had come across the malware after it infected his computers, but nobody else has seen it. The Register asked Ruiu about his progress in looking into BadBIOS on Tuesday but has yet to hear back.

Adam Kujawa, a security researcher at antivirus firm MalwareBytes, reckons the research shows that it’s possible for malware-infected machines to chat to each other across an air gap. But he’s far from convinced any infection is possible via the method. He suggests it is far more practical to attempt to use an infected USB stick for a targeted attack against an air-gapped network, the presumed method the ultra sophisticated Flame cyber-munition used to spread. Flame was reportedly cooked up under the same US-Israeli Operation Olympic Games programme that spawned Stuxnet.

“My theory is that this technology could be used to provide targeted malware a means of external communication for contact with a command and control server,” Kujawa writes in a blog post. “The infected system would receive commands from the server and assuming that the initial infection on the covert system was via USB drive, perhaps the malware could store stolen data on the USB.

“That data would be sent out later once the USB is able to be plugged into an outward facing system. This is similar to how Flame worked when extracting sensitive data from closed-off networks,” he added. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/12/05/airgap_chatting_malware/

Using The Human Perimeter To Detect Outside Attacks

While automated technology, network sensors and behavioral analysis are crucial to helping security professionals detect attacks against their network resources, sometimes nothing can beat good old-fashioned human observation. Security team members can only do so much to personally observe aberrant behavior, but fortunately they may have a ready source of eyes and ears in what some jaded pros might consider an unlikely pool of candidates: end users.

The fact is that end users are at the front lines of attacks—most outside incursions into the network involve some form of social engineering or another. Instead of simply putting up posters and sending out multiple-choice questions once a year about how to avoid phishing dangers altogether, social engineering experts say organizations should seek a more realistic and robust training goal. They should be teaching employees to spot suspicious activity and report it without fear of recrimination, whether they fell for a ploy or not. Ultimately, the goal is to turn employees into a sort of human perimeter to help the security team detect attacks more quickly.

“There are many more human sensors on a network than any intrusion detection system can ever hope to have, because every employee can be one,” says Rohyt Belani, CEO of PhishMe. “If you look at the way security responders work today, they’re picking leads off of either their IDS systems or their network logs and then they are going through a similar process to find suspicious behavior. Given the right mechanisms or right sorts of tools, the humans who are resilient to these attacks actually become great reporters.”

The fact is that security has always been a game of reducing the odds of exposure rather than eliminating it. And yet, when it comes to the human element of security, too many security pros are quick to disparage all end users as stupid because attacks continue to get through, says Mike Murray, managing partner for MAD Security. But that’s like saying any other piece of detection technology is worthless because it doesn’t work 100 percent of the time.

“A really motivated attacker is always going to get in—if you’ve got a skilled person, they’re going to find a way into the network. The key is quick detection and good response capabilities at that point,” Murray says. “Your IPS doesn’t stop everything, but it should tell us something that gives the SOC operator an idea about where to follow up on something. If we can get our users doing that as well, that detective capability will allow us to respond much more quickly than we can naturally.”

In many cases, human intuition may not kick in fast enough to prevent someone from falling for a phishing ploy or a malicious link altogether, but it usually happens pretty soon after the first strike, says Lance Spitzner, training director for SANS Securing The Human Program.

“When somebody gets hacked, they usually figure it out. Either their system crashes or a document looks a little weird or a particular website makes the browser act funny,” he says. “When they report it, they improve organizational resilience.”

Unfortunately, many organizations have a difficult time developing that resilience through a human perimeter because they simply don’t have the mechanisms in place to support it. According to Chris Hadnagy, chief human hacker for Social-Engineer, Inc., one of the biggest impediments to the process is a fear by employees that telling someone about a problem may get them fired. The other is not having any procedure for properly reporting it.

“One of the things we find all too often when working with companies is that they don’t have reporting agencies within their organizations,” he says. “When something bad occurs, there’s no place for the employee to say, ‘Hey, I think I just clicked a link that was bad.'”

On the back end, the organization needs to have enough manpower to handle these reports, Hadnagy says, explaining that for a Fortune 500 company with thousands of employees, “this is not a one-person job.”

Not only should this team be sifting through these reports and triangulating them with logs and other detection technology output, but it also needs to establish solid and positive communication with the employees who send the reports, to encourage future cooperation.

“If they feel like they’re going to be chewed out or punished, we create an atmosphere of fear,” he says.

Article source: http://www.darkreading.com/perimeter/using-the-human-perimeter-to-detect-outs/240164428

Festive season security myth: “If there are no links in an email, it can’t be a phish.”

Technological defences can help a lot in protecting you from phishing and fraud.

We’re sure you’re familiar with many of them: prompt patching, anti-virus scanners with regular updates, spam blockers, web filters, firewalls, and so on.

But you’ll also have heard us urging you not to use technology as a replacement for your own caution, intuition, perspicacity, street smarts, call it what you will.

In particular, if the computer fails to say, “Don’t do it,” that’s not an automatic invitation for you to say, “She’ll be right.”

Sometimes, she won’t be right, and the crooks will have enticed you into a final step you come to regret.

Keeping street smart online

That’s why we urge you to think before you click on links in unsolicited emails, especially if they are urging you to use the link to sign in to an online service.

That’s to protect you from phishing, where cybercriminals take you to a login screen that looks like the real deal but isn’t, causing you to give away your username and password to an imposter website.

We also urge you to be cautious of email attachments, especially if you weren’t expecting them.

That’s to protect you from booby-traps, where cybercriminals feed you a crafty file such as a document or image that is deliberately rigged up to crash your browser (or PDF reader, or multimedia player, or whatever) and sneakily infect you with malware.

So far, so good.

But what if you do open an innocent-sounding attachment, and everything seems OK – no exploit, no booby-trap, no drive-by malware install?

You didn’t click on any links in the original email, so perhaps you think that you’re past the stage of being phished, and are ready to let your guard down?

Don’t do that, not least because documents such as PDF files can contain clickable links, just like the HTML in an email or on a web page.

And if the email contains the attachment, and the attachment contains the link, then the rules of transitivity apply.

You may remember that from school – it sounds fancy but it isn’t: for example, if A is bigger than B, and B is bigger than C, then A is bigger than C.

In other words, if you click on a link in an attachment, and the attachment came in an email, you are effectively clicking a link in the email.

It’s easy to lose track of that fact, not least because when you launch an attachment, it usually opens in an application like Adobe Reader or Microsoft Word, not in your browser – giving you the feeling that you have left email and its related risks behind.

Link-free phishing emails

The crooks are aware of this cognitive disconnect, and here’s a perfect example that Savio Lau and his fellow threat researchers in SophosLabs Vancouver just spotted.

You receive an unsolicited email that’s supposed to be from a real estate company:

It’s not exactly the most believable invitation in the world.

(Reputable real estate agents wouldn’t make so many errors of grammar and formatting in such a short message. They probably wouldn’t say, “Hi.” And if they worked for RE/MAX in a managerial role, they’d know how to write the company’s name properly.)

But it contains no links, which seems like a good sign – if phishing needs links, then surely no links means no phishing?

Also, the attachment isn’t booby-trapped, and it contains real data, plus the ripped-off logo of a genuine real estate company:

Again, it’s not the most believable document, not least because you just vaulted from one realtor to another.

But by simply cutting and pasting from a genuine web page into a Word document, then printing that document out as a PDF, the crooks have moved their clickable links out of the original email and into a file that opens neither in your browser nor in your email client.

Better yet for the crooks, it all works equally well on Windows, Mac, Linux and even mobile devices.

If you click on one of the links in the PDF, you supposedly return to the real estate website, but you are asked to login first:

You really shouldn’t fall for this, not least because Windows Live and the Hotmail brand were consigned to the scrapheap of history nearly nine months ago – you won’t have seen them anywhere official recently.

On the other hand, the idea of a site such as a real estate company piggy-backing its login process on an existing service provider – Facebook and Twitter are very popular for this – is surprisingly common these days.

And some PDF readers (Preview on OS X, for example) don’t make it easy to see where a clickable link will take you, a check you are probably used to performing in your browser.

Of course, if you do fall for the login dialog, you’re not just giving away your credentials to the crooks.

You’re revealing them to anyone sniffing the network between your PC and the server, because the crooks aren’t using HTTPS:

(Incidentally, in the fake login window above, clicking [Close] and [Sign in] have exactly the same effect: whatever is in the input boxes is sent unencrypted to the crooks.)
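Since a PDF reader may not show you where a link goes, the link targets can be pulled out of the attachment before anyone opens it. The following is an added example, not SophosLabs code: it scans a PDF for /URI link actions, decodes both literal and hex string forms, and flags each target that uses plain HTTP, points at a host outside the sender’s claimed domain, or looks like a credential prompt. SAMPLE_PDF is a constructed minimal PDF with two link annotations; the host allow-list and the credential-prompt word list are assumptions. It only sees uncompressed objects: annotations stored in Flate-compressed object streams would have to be inflated first, and /Launch or /JavaScript actions are not covered.

```python
"""Pulling link targets out of a PDF attachment before anyone clicks them.

Added illustration, not SophosLabs code. SAMPLE_PDF is constructed. Handles
uncompressed /URI actions only; compressed object streams need inflating first.
"""
import re
from urllib.parse import urlparse

# Constructed minimal PDF: one page, two link annotations (one literal string,
# one hex string). Not a real phishing sample.
SAMPLE_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
    b"3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792]"
    b" /Annots [4 0 R 5 0 R] >> endobj\n"
    b"4 0 obj << /Type /Annot /Subtype /Link /Rect [72 700 300 720]"
    b" /A << /S /URI /URI (http://login.example.net/wl/signin.php?ru=example.com) >> >> endobj\n"
    b"5 0 obj << /Type /Annot /Subtype /Link /Rect [72 650 300 670]"
    b" /A << /S /URI /URI <68747470733a2f2f6578616d706c652e636f6d2f6c697374696e6773> >> >> endobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)

# A /URI key followed by a literal (...) string (with backslash escapes) or a hex <...> string.
URI_RE = re.compile(rb"/URI\s*(\((?:[^()\\]|\\.)*\)|<[0-9A-Fa-f\s]*>)")

PDF_ESCAPES = {ord("n"): 10, ord("r"): 13, ord("t"): 9, ord("b"): 8, ord("f"): 12,
               ord("("): 40, ord(")"): 41, ord("\\"): 92}

# Assumed word list for spotting a login page in the path or query.
CREDENTIAL_WORDS = re.compile(r"login|signin|sign-in|verify|account|password", re.I)


def decode_pdf_string(token: bytes) -> str:
    """Decode a PDF literal (...) or hex <...> string object to text."""
    if token.startswith(b"<"):
        digits = re.sub(rb"\s+", b"", token[1:-1])
        if len(digits) % 2:              # PDF pads a trailing odd digit with 0
            digits += b"0"
        return bytes.fromhex(digits.decode("ascii")).decode("latin-1")
    body, out, i = token[1:-1], bytearray(), 0
    while i < len(body):
        c = body[i]
        if c == 0x5C and i + 1 < len(body):          # backslash escape
            nxt = body[i + 1]
            octal = re.match(rb"[0-7]{1,3}", body[i + 1:i + 4])
            if nxt in PDF_ESCAPES:
                out.append(PDF_ESCAPES[nxt])
                i += 2
            elif octal:
                out.append(int(octal.group(), 8) & 0xFF)
                i += 1 + len(octal.group())
            else:                                     # unknown escape: drop the backslash
                out.append(nxt)
                i += 2
            continue
        out.append(c)
        i += 1
    return out.decode("latin-1")


def extract_link_targets(pdf_bytes: bytes) -> list:
    """Every /URI action target in the file, in order of appearance."""
    return [decode_pdf_string(m.group(1)) for m in URI_RE.finditer(pdf_bytes)]


def assess_links(pdf_bytes: bytes, expected_hosts: set) -> list:
    """(url, [flags]) per link: plain-http, a host outside the claimed sender's
    domains, or a path/query that looks like a credential prompt."""
    findings = []
    for url in extract_link_targets(pdf_bytes):
        parsed = urlparse(url)
        flags = []
        if parsed.scheme == "http":
            flags.append("plain-http")
        host = parsed.hostname or ""
        if not any(host == h or host.endswith("." + h) for h in expected_hosts):
            flags.append("unexpected-host")
        if CREDENTIAL_WORDS.search(parsed.path + "?" + parsed.query):
            flags.append("credential-prompt")
        findings.append((url, flags))
    return findings


if __name__ == "__main__":
    for url, flags in assess_links(SAMPLE_PDF, {"example.com"}):
        print(url, "->", ", ".join(flags) or "ok")
```

Run against the constructed file, the first link trips all three flags (plain HTTP, a host that is not the realtor’s, and a sign-in page), which is exactly the combination the sample above relies on; the second, an HTTPS link back to the claimed domain, passes.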

What to do

Technology would probably have saved you up front: a decent email filter or endpoint anti-virus would block the email or its attachment before you opened it, and a decent web filter would stop you clicking through from the PDF itself.

But the street smart advice we mentioned at the start would save you too:

  • Think before you click on links in unsolicited emails.
  • Be cautious of email attachments, especially if you weren’t expecting them.

And if you’re the go-to guy for IT amongst your friends and family, keep on reminding them this holiday season, won’t you?

Note. Sophos products detect and block the bogus attachment shown above as Troj/Phish-DC.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/8acLX8YTpcI/

Two million TERRIBLE PASSWORDS stolen by malware attackers


Researchers have uncovered a massive cache of stolen account credentials which could impact some two million users.

Security firm Trustwave said that its SpiderLabs reconnaissance team has detected a malware operation which has been able to pilfer account credentials on infected machines and build an archive of lifted passwords for services including Facebook, Yahoo and Google.


The attackers also harvested thousands of account credentials for remote desktop services, FTP connections and secure shells.

The attack, which appears to use a derivative of the Pony malware, seems to be largely concentrated on Russian-speaking sites and services, say researchers. While much of the command and control traffic was traced to the Netherlands, researchers noted that the operation likely uses proxies to hide the true location of its control systems.

The company did not report any widespread attacks on the sites themselves related to the password thefts.

While the malware itself is known and the infection can be prevented by installing and maintaining antivirus and security tools, Trustwave noted that the breach highlights a larger, and ongoing, security problem.

An analysis of the stolen credentials would suggest that in many cases, the malware operators would have been able to compromise many accounts simply by guessing. The Trustwave researchers noted that among the dumped passwords, low-security choices such as simple numeric sequences were by far still the most common choices.

Trustwave reports that for many of the stolen passwords only one type of character was used, and in many cases the passwords were extremely short. Just 22 per cent of the observed passwords were long, mixed-character choices classified as “good” or “excellent” by the company, while 28 per cent were considered “bad” or “terrible”.

The use of simple, easily-guessed passwords has long been a problem at nearly every level of IT from system admins to chief security officers and anti-malware vendors. Experts recommend that in addition to avoiding blatantly stupid choices such as “12345”, users avoid dictionary words and pick log-ins that mix both cases and alphanumeric characters.

Unfortunately, says Trustwave, there is little indication that those efforts to educate users are gaining much traction. The company noted that when compared to a similar password dump analyzed in 2006, the collection suggests that users are in fact relying more on common passwords, with the top 10 most common accounting for 2.4 per cent of all of those harvested.
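The kind of profiling Trustwave describes is straightforward to reproduce on a dump of your own users’ credentials from a breach notification or a password audit. Here is an added example, not Trustwave’s tooling: it parses service:user:password lines, measures the share of single-character-class and very short passwords, the share taken by the most common choices, and sorts each password into a terrible/bad/medium/good/excellent bucket. The dump is constructed, not Pony loot, and the bucket thresholds are an assumed scheme, since the article does not give Trustwave’s.

```python
"""Profiling a credential dump for the weaknesses the Trustwave write-up describes.

Added illustration. SAMPLE_DUMP is constructed; the rating thresholds are an
assumed scheme, not Trustwave's.
"""
from collections import Counter

# Constructed sample in service:user:password form (not real data).
SAMPLE_DUMP = """\
facebook.com:alice:123456
facebook.com:bob:password
yahoo.com:carol:123456
google.com:dave:Tr0ub4dor&3
ftp.example.net:eve:qwerty
ssh.example.net:frank:correct-horse-battery-staple
rdp.example.net:grace:123456
yahoo.com:heidi:111111
google.com:ivan:P@ssw0rd
ftp.example.net:judy:admin
"""


def parse_dump(text: str) -> list:
    """Return (service, user, password) tuples; a password may itself contain ':'."""
    creds = []
    for line in text.splitlines():
        if not line.strip():
            continue
        service, user, password = line.split(":", 2)
        creds.append((service, user, password))
    return creds


def char_classes(pw: str) -> set:
    """Which of lower/upper/digit/symbol the password draws on."""
    classes = set()
    for ch in pw:
        if ch.islower():
            classes.add("lower")
        elif ch.isupper():
            classes.add("upper")
        elif ch.isdigit():
            classes.add("digit")
        else:
            classes.add("symbol")
    return classes


def rate(pw: str) -> str:
    """Assumed rating scheme based on length and character-class count."""
    n, k = len(pw), len(char_classes(pw))
    if n < 8 and k == 1:
        return "terrible"
    if n < 8 or k == 1:
        return "bad"
    if k >= 3 and n >= 12:
        return "excellent"
    if k >= 3:
        return "good"
    return "medium"


def analyse(passwords: list, top_n: int = 10) -> dict:
    """Headline figures of the kind quoted in the article."""
    n = len(passwords)
    top = Counter(passwords).most_common(top_n)
    return {
        "count": n,
        "single_class_fraction": sum(len(char_classes(p)) == 1 for p in passwords) / n,
        "short_fraction": sum(len(p) <= 6 for p in passwords) / n,
        "top_share": sum(c for _, c in top) / n,
        "top": top,
        "ratings": Counter(rate(p) for p in passwords),
    }


if __name__ == "__main__":
    creds = parse_dump(SAMPLE_DUMP)
    stats = analyse([p for _, _, p in creds], top_n=3)
    for key, value in stats.items():
        print(f"{key}: {value}")
    by_service = Counter(service for service, _, _ in creds)
    print("credentials per service:", dict(by_service))
```

On the constructed dump the single most common password already accounts for 30 per cent of entries and six of the ten fall in the “terrible” bucket; on a real dump the interesting output is the per-service breakdown, which tells you which of your own systems (FTP, SSH, RDP) the harvested credentials would open.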

Even if you’ve not been infected, now would be a good time to seriously consider changing, strengthening, and diversifying your passwords. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/12/04/two_million_terrible_passwords_stolen_by_malware_attackers/


NSA collects up to FIVE BILLION mobile phone locations daily


The NSA is maintaining a mobile device tracking program that logs up to five billion updates per day around the world, according to a new report.

The Washington Post, citing government sources and documents leaked by Edward Snowden, reports that the US intelligence agency has built a massive database of locational information gathered as part of its wiretapping activities that can be used to map out user activity around the globe.


According to the report, the locational data is not deliberately targeted by authorities, but rather is obtained when the agency targets a single individual’s mobile activities and monitors that person’s communications.

In the process of collecting the surveillance data, the NSA is said to also be obtaining locational information from other handsets which connect to a mobile communications tower or wi-fi hotspot to initiate communications. This allows the NSA to gather locational data on all devices within a certain area at any given time.

The report suggests that the collected information is used by the NSA to identify possible associates and accomplices for a known target. By analyzing the locational data and finding common numbers across logs on multiple towers, analytics tools are able to eventually spot devices which appear alongside the target.

Government sources told the Post that the collection is only being used to track possible ‘co-travelers’ and has not been deemed by NSA officials to be illegal surveillance.

The report did not mention any involvement from GCHQ, though the UK intelligence service has previously proven to be deeply involved with the NSA in many of the electronic surveillance activities brought to light by former contractor Snowden.

The revelation is the latest in what has already proven to be a government surveillance program whose scope reaches beyond anything previously imagined by most citizens. That program has included massive collections of phone records, web correspondence and surfing activities by individuals suspected of terrorism and serious crimes.

The revelations have triggered a debate over the extent to which governments should have surveillance capabilities and has brought backlash from many firms in the private sector who have objected to the covert tapping of their private networks and internal correspondence. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/12/05/nsa_collects_up_to_five_billion_mobile_phone_locations_daily/